For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, and a blogger since 2004 writing about my experiences on the journey --information security, cyber intelligence, education, thoughts. Some love my writings others hate it. If you like it, follow me!

Saturday, December 26, 2015

2015 - A look back, and a look forward...

This is my last blog of 2015, so I thought I'd close it out right!

This was another great year in Red Sky Alliance and Wapack
Labs.

Red Sky, as planned, added several new members. Our intent
was never to have thousands, rather a select group who use the portal and the
intelligence that’s provided. So, a few numbers:

Red Sky Alliance has roughly 200
accounts issued. Approximately 10% are issued to Wapack Labs analysts, leaving
~190 accounts. Out of those, an average of 73 people (38%) participate weekly
and about half of those participate daily.Those are staggering numbers in any information sharing environment. Add
to that the idea that in nearly four years, only three Red Sky Alliance members
have left, and those left because of one member was divested and then
dissolved. Another transferred and rejoined after the move. The third, an
intelligence manager, took another job in the company and the intelligence team
went with another service. Our customer satisfaction remains high. The intent
of the Alliance was never to serve the needs of all, rather allow companies who
really want it an opportunity to crowdsource questions, and share intelligence
and analysis. The price has remained stable for the last two years
–significantly lower than others, with the intent of users being ecstatic at the
amount of value that they receive as members. We’re not into politics. We don’t
drive national policy. We want standards but participate in those national
level discussions only tangentially.We
author intelligence and provide it to the members. We stick to our core
competency and charge a fair price; and our members seem to love that.

Wapack Labs has
really grown into its own this year.Wapack Labs was spun out of Red Sky Alliance in 2013 as a place where
our analysts could do other kinds of projects that didn’t fit nicely into the
information sharing construct –professional and tailored intelligence
collection and analysis. The Lab sells intelligence subscriptions in forms that
allow both the board and C-Suite the ability to get fast, one-page sound bites,
and at the same time, corresponding technical reports that the tech teams can
use to protect the company from those reports that their CEO reads.

We added a few new pieces of analysis this year. Targeteer®
reports profile actor groups and its members. From our perspective, there are
dozens of things that can be done outside of the network, without breaking any
laws, to turn off an attacker’s ability to execute. Targeteer® reports offer
our members the information needed to take political, legal, or other actions
as may be desired by their leadership team and counsel.

We started pushing early warning indicators in September. We
love Kill Chain, but many don't understand that while Kill Chain details activities of the breach, it can be used proactively to plan and instrument active defensive campaigns. And because so many don't understand that, if you’re operating in Kill Chain, it may to late for you. To answer that problem we’ve spent a lot of time this year on processes that we’re calling “Getting to the Left
of Kill Chain”. There's a bit of a learning curve, but so far, our pilots have been successful. When our infrastructure is built out, any company will have the
opportunity to log into our new Cyberwatch® system and receive early warning indicators
that they can (should) act on before having their first coffee of the day.

Our desire to push these reports and indicators to larger
audiences has showcased a bit of a problem –the ability to scale in
distribution. Until this year, scaling the ability to perform human driven
analysis has always been the concern. We continue to drive analytic processes.
We’re sourcing hundreds of primary sources of information, and to allow us to
scale, Cyberwatch® will be released as initial operational capability in
January. The goal of Cyberwatch® is to consolidate and create efficiencies.

Today, we offer products as C-Suite offerings in a low cost format delivered on wapacklabs.com. We offer collaboration in Red Sky Alliance, and we offer a query/response indicator repository on ThreatRecon.co. It's confusing even to me! The idea of Cyberwatch® is first to translate information
security into language that anyone can understand, and know at a
glance the implications of growing cyber threats. Second, we’re hoping to solve
the problem of a massive need for victim notifications. The number of victims
seemed to skyrocket this year, and while we’ve done our best to push out
notifications, the numbers are staggering. At the time when I was drafting this blog, another
company was victimized; this time for 13 million accounts. How do 13 million
people get notified that their computers might have been victimized? And if
they knew, what could be done about it? We hope to solve a piece of this problem.

What’s trending?

By far, the biggest activity we saw this year was the
distribution of key loggers globally. As of today, we’ve seen over 12,000
unique infrastructures compromised in over 85 countries around the world. We’ve
seen Nigerian actors compromising systems in every corner of the world and
selling the accounts in TOR based forums. That activity, named by us “Daily
Show” seems to focus on a few geographical locations, primarily targeting the
maritime community (and those supporting the maritime community) in the South
China Sea, maritime routes between Nigeria and the Black Sea, the Nordics, and
the Suez Canal.

Angler has easily been number two. We’ve written several
reports on Angler, and have had readers and conference goers tell us that Angler
delivers roughly 90% of all of the activity seen.

Russian actors have become a tool of the military. Wapack Labs detailed accounts of Russia’s cyber actions in the conflict
with Ukraine. The cyber underpinnings of the activity, in our opinion, track
closely with the Ivanof Doctrine –a plan for using cyber and other information
warfare tools in conjunction with physical activities.

Iran moved into the top of the threat chart. Starting with
the stockpiling of tools to connections with others, Iranian actors appear to
have become the new China with one major difference; Iran isn’t interested in
espionage. And why should they be? They became one of the first cyber sabotage targets in this new era.

Last but certainly not least.We watched this year as attacks turned from
espionage and theft to integrity attacks, with documents manipulated to allow
the movement of goods, services and money. Cyber has indeed converged with the fraud and physical security spaces... and it's only just starting.

Which brings me to my
2016 predictions:

I’ve authored predictions since 2013, and many more
informally before that. I’m running pretty hot right now with nearly all coming
true. Feel free to view previous predictions on our blog at henrybasset.blogspot.com.

So here goes…

Key loggers aren’t anything new but
they’re taking hold in a largely automated way. I’d mentioned in presentations (twice this year), when I followed a consultant who talked about cracking
passwords that passwords don’t mean a thing when there’s a keylogger involved.
And it seems the number of pieces of malware with key loggers built in are
increasing dramatically. Not a rocket science prediction. Common sense.

We witnessed what we believe are the early
indications of a movement from confidentiality motivated attacks (meaning,
espionage) to integrity motivated attacks. This year will be the year of
data manipulation.This is a high
probability, high damage risk prediction. Companies everywhere will lose the
ability to depend on their computing systems to deliver trusted results. This has already proven true in engineering focused industries, but now, enterprise resource management systems, are becoming targets of opportunity, allowing access into any of the multitude of services they connect to.

Customs offices in several countries were
witnessed by Wapack Labs as compromised. One European country’s Visa office was included in that last. This is a major risk to governments everywhere. My
prediction? We’ll see key government organizations in the US and elsewhere
get compromised in places that vet foreign visitors. Documentation will be
generated and delivered. The overarching theme? Fraud is intersecting with
information security. Cyber is simply another tool and the Visa offices are not
exempt.

Resilience has become the name of the
game. Leading edge companies are learning to live with untrusted networks, and
as 2016 unfolds, we’ll see several key companies focusing on their efforts on
resilient networks.We don’t believe
that Chief Information Security Officers will be replaced with Resilience
officers, but taking the role to the next step means ensuring organizations can
survive, operate successfully while under massive attack.

Service accounts aren't getting enough love... but they will. A service account connects two systems not normally accessed by a human. I.e.: One database connecting and querying another requires credentials, but because the process is automated, it will not require human interaction... so credentials are written into the code or query so human interaction is not required. If one database queries another, and the credentials required either do not change, or may not be changed (because they're built into the code), they become highly coveted targets. Many of the larger companies have already addressed this problem. Many of the smaller companies don't have the ability to act on this enormous risk... and the bad guys know it. In industry, think supply chain. In personal accounts, think interconnections between various social and cloud based tools. If you can log into a system, and query using a social media login, or have your home thermostat connected to your iCloud account, you've created a service connection --and it can be exploited.

Systemic risk is the phrase of the year.
Systemic risk means that attackers will find singular points to attack, (probably as a result of staticly credentialed service accounts systems). Need an example? OPM was a wonderful target from systemic perspective. Compromised in such a way that new tech with new thinking was required to identify the breach (math based behavioral anomaly detection), in a target that held such immense importance that nobody would be spared the possibility of targeting. Brilliant! I wish I'd have thought of that when I was in that business.

2016 is going to bring some big things for Red Sky and the Lab. We're hosting our first Threat Day of the year in January in DC, and we expect to debut

Cyberwatch® with our membership. Beyond that, if this works, it's going to transform the way executives look at information security and cyber. So standby. 2016 is going to be transformative... and I can't wait!